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Abstract 

An announcement scheme is a system that facilitates vehicles to 
broadcast road-related information in vehicular ad hoc networks (VANETs) 
in order to improve road safety and efficiency. Here we propose a new 
cryptographic primitive for public updating of reputation score based 
on the Boneh-Boyen-Shacham short group signature scheme. This al¬ 
lows private reputation score retrieval without a secure channel. Using 
this we devise a privacy-aware announcement scheme using reputation 
systems which is reliable, auditable and robust. 

*The initial idea of this material was published in the WiVeC proceedings [5] and a 
comprehensive solution was presented in CTTD 2013 (no proceedings) |l0]. This paper is 
a full version of the whole work. 
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1 Introduction 


Vehicular ad hoc networks (VANETs) allow vehicles to exchange information 
about vehicle, road, and traffic conditions. We call a system that facilitates 
vehicles to exchange road-related information an announcement scheme. If 
the road-related information exchanged in an announcement scheme is reli¬ 
able then this would enable a safer and more efficient travelling environment. 
We say that a message is reliable if it reflects reality. Unreliable messages 
may result in various consequences, for example journey delays or accidents. 
Unreliable messages may be a result of vehicle hardware malfunction. For 
example, if a sensor in a vehicle is faulty then messages generated from the 
faulty sensor may be false. Unreliable messages can also be generated in¬ 
tentionally. For example, some vehicles may generate and broadcast false 
road congestion messages with the intention to deceive other vehicles into 
avoiding certain routes. In extreme cases, unreliable message may lead to 
injuries and even deaths. Hence, an announcement should have the following 
functionalities: 

• Message reliability evaluation. Vehicles should be able to evaluate the 
reliability of received messages. 

• Auditability. Vehicles that broadcast unreliable messages should be 
identified and revoked. 

In addition, the announcement scheme should satisfy the following secu¬ 
rity requirements: 

• Robustness. The accuracy of message reliability evaluation and au¬ 
ditability should not be affected by attacks, from both internal and 
external adversaries. 

• Privacy awareness. The privacy of vehicles should be protected, since 
the information about vehicle position is often sensitive to vehicle users. 
The vehicle privacy has two facets as follows: 
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— Anonymity. The identity of a vehicle should not be revealed from 
data broadcast by the vehicle. 

— Unlinkability. Multiple pieces of data broadcast by the same ve¬ 
hicle should not be linked to each other. 

In [9] a privacy-aware reputation-based announcement scheme for VANETs 
was proposed. This scheme relies on a centralised reputation system with an 
off-line trusted authority, and uses group signatures to allow vehicles to make 
authenticated announcements anonymously. An announcement will be ac¬ 
cepted as reliable if the announcing vehicle has a sufficiently high reputation. 
The reputation reflects the extent to which the vehicle has announced reli¬ 
able messages in the past. It is computed and updated based on feedback 
reported by other vehicles. The reputation scores of all vehicles are managed 
by a central reputation server. This scheme has two fundamental weaknesses: 
hrstly, the decision as to whether an announcement is trustworthy or not is 
made by the reputation server rather than the receiving vehicle, since only 
vehicles deemed reputable by the reputation server are given signing keys, 
and the signatures do not reveal what the reputation scores are. Secondly, 
a secure channel is required for the retrieval of new signing keys (and hence 
new reputation status). In [U] a brief sketch was provided to indicate how 
these weaknesses may be overcome. Here we describe in full a new crypto¬ 
graphic primitive which enables the design of a scheme to address these two 
weaknesses: 

1. We propose a new tool for public updating of reputation score based 
on the Boneh-Boyen-Shacham (BBS) short group signature scheme [S]. 
When the reputation score of a group member 14 changes, 14 is able 
to update its signing key using a public value in such a way that its 
signature is bound to the new reputation score. This signature can be 
verihed by other group members, again using a public value. This over¬ 
comes the signihcant problem of having to establish a secure channel 
for reputation score retrieval. 
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2. Using this new cryptographic primitive we improve the scheme of [5] to 
support flexible decision-making on the part of the receiving vehicle. If 
a reputation score is visible in a group signature then a receiving vehicle 
may decide whether to trust the announcement depending on the type 
of announcement and the announcing vehicle’s reputation score. Our 
scheme here supports this. 

2 Related Work 

There have been a number of announcement schemes proposed to evaluate 
the reliability of messages in VANETs. These can be categorised into two 
main groups: threshold method and reputation-based method. 

A majority of announcement schemes, e.g. [la [ISl Uni EH EH EHl 122] , use 
the threshold method: a message is believed reliable if it has been announced 
by multiple distinct vehicles whose number exceeds a threshold within a 
time interval. This method gives rise to the problem of distinguishability of 
message origin [TS] - how to tell if two messages are made by two distinct 
vehicles if vehicles are anonymous and their activities are unlinkable. Solu¬ 
tions to this problem include using message linked group signatures |31] and 
a combination of Direct Anonymous Attestation m and 1-time anonymous 
authentication [27] . In addition, this method is only suitable for event-driven 
messages, where multiple vehicles may broadcast the same message. It is not 
suitable for beacon messages, where a beacon is only broadcast by one vehi¬ 
cle. 

There have been several reputation-based methods, such as mEHEni 
EHIEIES]. The schemes in miESlES] adopt a decentralised infrastructure 
while those in [201 E] EH] use a centralised system. In [20] Li et ah proposed 
a reputation-based announcement scheme that aims to provide message re¬ 
liability evaluation, auditability, and robustness. A vehicle periodically re¬ 
trieves its reputation certificate, which contains its reputation score, from 
the central authority. When a vehicle broadcasts a message, it attaches its 
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reputation certificate to the message. A receiving vehicle extracts the repu¬ 
tation score and then infers the reliability of the message. A vehicle whose 
reputation score decreases beyond a threshold is revoked by the central au¬ 
thority. This is achieved by no longer providing the vehicle its reputation 
certihcate in the future. However, this scheme [20] lacks the provision of 
privacy protection to vehicles: messages and feedback are linkable and not 
anonymous. An adversary is able to conduct a profiling attack to learn the 
moving trace of a target vehicle. This drawback may affect the willingness 
of vehicles to participate in the announcement scheme. The scheme in [2S] 
suffers from the same drawback. This drawback is rectihed in the scheme 
of j9], which we will describe in detail in Section]^ On the other hand, [7j 
considers how a reputation-based scheme may be extended to allow multihop 
communications. 

In [13], upon receiving a message, a vehicle can append its own opinion 
about its reliability to the message. This message is then forwarded, along 
with the appended opinion. In this scheme, a vehicle verifies the reliability 
of a message by aggregating all the opinions appended to the message. How¬ 
ever, its robustness against possible collusion of adversaries is not addressed. 
Vehicle privacy is also not provided by this scheme. Besides, receiving vehi¬ 
cles have to bear a heavy computational burden in order to verify the digital 
signature signed on each opinion - every vehicle has to verify many signa¬ 
tures before appending its own. In addition, implementation details, such as 
initialisation and malicious vehicle revocation, are not discussed. 

In [23] , the reliability of a message is evaluated according to three differ¬ 
ent types of trust value regarding the message generating vehicle: role-based 
trust, experience-based trust and majority-based trust. Role-based trust as¬ 
sumes that a vehicle with a certain predehned role, such as traffic patrol 
or law enforcing authorities, has a high trust value. Majority-based trust is 
similar to the threshold method that we discussed earlier. Experience-based 
trust is established based on direct interactions: a vehicle trusts another 
vehicle if it has received many reliable messages from the other vehicle in 
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the past. A similar approach to experienced-based trust was also proposed 
in m- A drawback of this approach is that it requires vehicles to establish a 
long-term relationship with each other, which may not be practical in a large 
VANET environment. Furthermore, it also requires vehicles to store infor¬ 
mation regarding vehicles that they have encountered in the past. This may 
lead to not just a demand for storage but also a demand for rapid search¬ 
ing through the information to make a decision which may result in a lag 
in responding to potentially critical events.. Lastly, robustness and vehicle 
privacy are not provided. 

In [26], a vehicle conducts behaviour analysis about another vehicle based 
on some observable information about the target vehicle, such as its positions, 
movements and messages broadcast in the past. The result of this analysis is 
used to determine the trustworthiness of the target vehicle and the reliability 
of messages broadcast by it. However, in this scheme, vehicles have to make 
observations before making a decision, which may not be feasible in VANETs. 
In addition, robustness and vehicle privacy are not provided by this scheme. 

Compared with existing threshold and reputation-based schemes, the 
schemes pnii feature the following: 

• They enable immediate evaluation: a receiving vehicle does not require 
multiple messages in order to verify the reliability of a message. 

• They support reliability evaluation of both beacon and event-driven 
messages. 

• They support revocation of maliciously-behaving vehicles. 

• They provide strong robustness against external adversaries, and ro¬ 
bustness against internal adversaries to a reasonably good level. 

• They achieve a good level of efficiency. 

In addition to the features above, the scheme [H] also provides a good 
level of vehicle privacy. 
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3 Privacy-aware reputation-based announce¬ 
ment scheme 

For completeness, we include a brief description of the privacy-aware reputation- 
based announcement scheme [9]. We describe hrst the algorithms and pro¬ 
tocols that are required: 

• A secure and privacy-aware mutual entity authentication protocol MEA^. 
We use MEA^{A —)■ B : m} to denote the situation where the message 
m is sent from AtoB where both communicating parties A and B are 
assured of: 1) the identity of each other, 2) the freshness of the com¬ 
munication, and 3) the protection of the communication against all 
entites (apart from A and B) with respect to anonymity and unlinka- 
bility. This protocol will be used by vehicles to retrieve their reputation 
and report feedback. It can be instantiated by using a secure proba¬ 
bilistic encryption scheme to establish an encrypted channel, and then 
executing a suitable authentication protocol in the encrypted channel. 

• A secure and privacy-aware two-origin authentication protocol TOA^. 
We use TOA^{A : mi, m 2 : C} to denote the situation where the mes¬ 
sage {mi, m 2 ) is broadcast by A, and a recipient is given the assurance 
that: 1) mi originates from a legitimate (but unidentihed) entity, 2) 
m 2 originates from a third party C, and 3) m 2 is bound to messages 
originating from A. This protocol will be used by vehicles to broadcast 
messages. It can be implemented using, for example, a group signature 
scheme. 

• An aggregation algorithm Aggr, which will be used to aggregate feed¬ 
back and produce reputation scores for vehicles. 

• A data analysis algorithm Detect, which will be used to detect malicious 
vehicles based on feedback. 


7 


• A time discount function TimeDiscount. This is a non-increasing func¬ 
tion whose range is [0,1]. It takes as input a non-negative value repre¬ 
senting a time difference, and outputs a number between 0 and 1. One 
simple example is: 



if 

0 if t > Tirf, 


The TimeDiscount function is used to determine the freshness of a ve¬ 
hicle’s reputation score in order to prevent abuse of the system. For 
instance, a vehicle may continue to announce messages using its old 
reputation credential with higher reputation score in order to avoid 
retrieving its latest reputation credentials that may have lower reputa¬ 
tion score after misbehavior. The TimeDiscount function makes sure 
that the reputation score is “discounted” with time. 

In this case we take the absolute value of the difference between the 
current time when a message is received and the time the reputation 
certihcate was retrieved. An older reputation certihcate gives a larger 
difference in value which results in a lower value of discounted reputa¬ 
tion score. This is by no means the only possibility for time discount 
functions but we have chosen this as the most straightforward option. 

• A threshold T between 0 and 1, which will be used to determine 
whether a reputation score is sufficiently high. 

For completion we will introduce notation for a group signature scheme 
that will be used to implement TOA^ in [9]: 

A secure group signature scheme ISlEli, denoted by GS = (GKeyGen, 
GJoin, GSign, GVerify, Open) where GKeyGen, GJoin, GSign, GVerify and Open 
denote group public key generation, group member secret key generation, 
group member signing, group verihcation, and signer revealing algorithms, 
respectively. All members of the group has access to the group public key 
while each individual member is given its own group member secret key. A 


group signature scheme is a digital signature scheme that has the following 
properties: 

• Each group member can sign messages (using its group member secret 
key). 

• A receiver can verify whether the signature was signed by a group mem¬ 
ber (using the group public key with the group verihcation algorithm), 
but cannot discover which group member signed it. 

• Any two messages signed by a group member cannot be linked. 

• A signature can be “opened” by a group manager (using the signer 
revealing algorithm), if necessary, so that the group member who signed 
the message is revealed. 

(Note that we treat the entire system as one group. Members join when 
they register and leave when they are revoked and these are all controlled 
centrally. Keys are only updated by time. There is no “group” in the sense of 
dynamic networks where members may join and leave different groups at will. 
There are indeed some work (for example, [HI E2]) where vehicles travelling 
in a certain direction and locality form groups and communicate with each 
other within the group. That would happen within our framework.) 

3.1 Description of the scheme 

This scheme has a centralised architecture with off-line central entities - we 
have taken the centralised approach since there is generally a centrally au¬ 
thority governing the registration and administration of vehicles. Vehicles 
(Ks) are the end users. We assume that Ks are mobile entities that have 
computational and short range wireless communication devices. The func¬ 
tionalities of vehicles include: 

1. generating and broadcasting messages to neighbouring vehicles. 


9 


2. receiving messages from neighbouring vehicles and evaluating their re¬ 
liability, and 

3. reporting feedback. 

There are two logical off-line central entities: a reputation server {RS), 
and an administrative server The RS computes reputation seores for 

vehicles based on feedback reported by vehicles. The functionality of the AS 
includes: 

1. admitting new vehicles into the system and revoking malicious vehicles 
from the system, 

2. providing reputation endorsement for vehicles, and 

3. collecting feedback reported by vehicles. 

The AS has multiple remote wireless communication interfaces so that 
vehicles can intermittently communicate with the AS in a convenient and 
frequent manner (for example once a day). Note that we do not require a 
vehicle to be able to constantly communicate with the AS, meaning that the 
RS and AS are off-line entities. We assume that the RS and AS are trusted 
and interact honestly with each other, and the communication channel be¬ 
tween the RS and AS is secure (authenticated, conhdential, and integrity 
protected). We assume that the AS has a clock. We also assume that a 
vehicle has a clock that is loosely synchronised with the clock of the AS. Al¬ 
though the RS and AS can be separately distributed, one convenient setting 
during an implementation is to make them form a single trusted entity, a 
central authority. We also assume that the communication channels between 
the AS and vehicles, and those between vehicles are publicly open, and thus 
subject to attacks. 

(I) Scheme Initialisation. 
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(a) The AS regulates its clock, and deploys its remote wireless com¬ 
munication interfaces. 

(b) The RS creates a database, and installs Aggr and Detect. 

(c) The AS installs GS, MEA^, TimeDiscount, and T, and initialises 
the cryptographic keys to be used by A5” during future execution 

of MEA+. 

(d) The AS divides the time into time intervals (Tq, Ti, T 2 , • ■ ■). The 

length of a time interval is conhgurable. For example, each time in¬ 
terval can be one day. For each time interval Tj, AS uses GKeyGen 
to generate a group public key pki and uses GJoin to generate a 
set of corresponding group member secret keys {skj, skf, • ■ ■ , sk^) 
where n is the number of vehicles in the system. A secret key skj 
is to be used by vehicle Vj during the time interval Tj. Group 
member secret keys (s/cq, ski, ^^ 2 )''') be used by Vj during 

the corresponding time intervals (Tq, Ti, T 2 , • • ■). The keys sk^ 
for all i and j are kept confidential for future use. 

(II) Vehicle Registration. 

(a) The AS initialises the cryptographic keys to be used by V during 
future execution of MEA^. 

(b) The AS provides V with MEA^, GSign, GVerify, the keys generated 
from the previous step, and {pko,pki,pk 2 , • ■ ■ W^e assume that 
this is conducted over a secure channel. 

(c) The AS requests the RS to create a record in its database for 
vehicle V. 

(Ill) Reputation Retrieval. When a vehicle I 4 drives into the proximity of 
a wireless communication interface during a time interval Tj, whose 
beginning time is denoted by ti, it retrieves its reputation information 
as follows: 
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(a) Vfe and the AS execute MEA^ to establish an encrypted and mu¬ 
tually authenticated channel. 

(b) Upon retrieving (r, Vb,ti), the reputation score r of U, at the cur¬ 

rent time ti, from the RS, the AS computes H’s time discounted 
reputation scores (r', until A time 

discounted reputation score = r ■ TimeDiscount(U+fc — U), 
where ti and R+k denote the beginning times of Tj and Tj+fc, re¬ 
spectively. These scores correspond to the time intervals (Tj, Tj+i, 
• • •, Tj+m), respectively. Note that for 0 < /c < m and 

< 'hr for k > m. In other words, Vb is considered as reputable 
for the time intervals Tj, • ■ ■ , Tj+m. 

(c) The AS sends 14 in the encrypted and mutually authenticated 

channel the group member secret keys {ski,-- - which 

correspond to Tj, • • • , Tj+m- 

(IV) Message Broadeast. A message m is broadcast by 14 as follows: 

(a) 14 retrieves the current time from its clock and identihes its cor¬ 
responding time interval, say Tj. 

(b) 14 uses GSign and sk\ that corresponds to the time interval Tj, 
to generate a signature 6 on {m,i), and forms a message tuple 
M = {m, i,9). 14 then broadcasts M to its neighbouring vehicles. 

(c) Upon receiving M, a receiving vehicle 14 immediately identihes 
the current time interval Tj from its clock. 14 checks if j = i. If 
so then 14 uses GVerify and pki, which corresponds to Tj, to verify 
9. Upon successful verihcation, 14 considers 14 to be reputable, 
and the message m to be reliable. The message tuple M is stored 
for future possible feedback reporting. If j ^ i or the verihcation 
fails then 14 does not consider 14 to be reputable, and discards 
M. 

(V) Feedbaek reporting. When 14 has experience about the event described 
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by message m, it is able to judge the reliability of m. Then Vj. can 
voluntarily report feedback as follows: 

(a) Vr assigns a feedback / based on its experience about the reliability 
of m; 

(b) When W drives into the proximity of a wireless communication 
interface, W and the AS execute MEA'^ to establish an encrypted 
and mutually authenticated channel, and Vj. sends /, M to the AS 
via the channel. 

(c) The AS uses Open and pki to open M, in order to retrieve signer 
Vfe, and sends the RS the tuple (/, H, K)- The RS stores it in the 
database. 

(d) The RS uses Aggr and all feedback stored in the database to up¬ 
date the reputation of H- 

(VI) Vehicle Revocation. The AS revokes the identihed malicious vehicle by 
no longer providing them with new group member secret keys in the 
future. 

In this scheme, a reputation credential of Vj, at time interval T* is repre¬ 
sented by a group member secret key sk\. Hence TOA^ is realised by GS; 
T0A^{I4 : > T) : Hb”} = {m,i,0), where 6 = GS\gngj^b{m,i))- This 

gives a recipient assurance that m originated from a reputable (but uniden- 
tihed) vehicle. 

3.2 Privacy and Robustness 

This scheme is robust against both external and internal adversaries with 
respect to both message fraud (an adversary deceives a vehicle into believing 
that a false message is reliable) and reputation manipulation (an adversary 
unfairly inflates or deflates the reputation score of a target vehicle) attacks. 
It also provides privacy protection (anonymity and unlinkability) for vehicles 
against all adversaries except for the central authority [201 E]. 
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3.3 Extending to multiple reputation levels 

As described in Section [ 1 } we will extend this scheme to support multiple 
reputation levels, thus allowing flexible decision-making for individual vehi¬ 
cles. We will also remove the constraint of having to use a secure channel 
for credential retrieval. This extended scheme will be described in Section 
1^ Before that we will describe in Section a novel modification of a group 
signature scheme which will underpin our new scheme. 

4 An extension of the BBS scheme 

Here we will describe a modification of the BBS [5] group signature scheme 
- in essence, both MEA^ and TOA^ will be implemented using this scheme. 
This will also allow private reputation score retrieval via a public channel. 
While this modified primitive is designed for application within the scenario 
of this paper, it has the potential to be of independent interest. 

4.1 The BBS Scheme 

We first briefly describe, informally, the original BBS [S] group signagure 
scheme. Formal details and security proofs can be found in [5j. Let Gi, G 2 
and G 3 be three multiplicative cyclic groups of large prime order p. Let gi 
be a generator of Gi and (72 a generator of G 2 . Let -0 be a computatble 
isomorphism from G 2 to Gi, with 'ip{g 2 ) = gi- (It is noted in [S] that 'ip is 
needed only for proofs of security. We need only to assume that it exists and 
is efficiently computable.) 

Let t : Gi X G 2 —)■ G 3 be a computable bilinear map: 

i{u'^,v^) = i{u,v)°'^ Vm G Gi, n G G 2 and a,b 
i{9u92) ^ 1 

We require that the q-Strong Diffie-Heilman (g-SDH) problem is hard in 
(Gi,G 2 ) and the Decision Linear Diffie-Heilman problem is hard in Gi: 
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The g-SDH problem in (Gi,G 2 ) is as follows: given a (g + 2)-tuple 

2 q 1 

(gi, ^ 2 , gl )92 ) ■ ■ ■ lOl ) input, output a pair > 2 ;), where x G Z^. 

The Decision Linear Diffie-Hellman problem is as follows: given m, n, h, 
■u“, G Gi as input, decide whether a + h = c. 

The BBS group signature scheme BBS = (BKeyGen, BJoin, BSign, BVerify, 
BOpen) where BKeyGen, BJoin, BSign, BVerify and BOpen denote group pub¬ 
lic key generation, group member secret key generation, group member sign¬ 
ing, group verihcation, and signer revealing algorithms, respectively, is as 
follows. (We will write xt—S' to denote the action of sampling an element 
from S uniformly at random and assigning the result to the variable x.) 

• BKeyGen: 

In key generation BKeyGen generates Gi, G 2 , G 3 , gi, ^ 2 , t/’ and t as 
described above. Let Gi \ {1 gi}, and set G Gi such 

that = h. Let yt—Z^, and set w = gj ^ G 2 . 

The group public key gpk will be {gi, g 2 ,u,v, h,w). 

The secret key of the group manager is gmsk = (7,771,772). Note that 
(771,772) is used to open signatures. 

Let iL be a hash function H : {0,1}* —)■ Zp. 

• BJoin(&, gmsk): 

Each group member b is given a secret key gsk^ = {Ah,Xb), where 

1 

Xb-^Z*, and Ab = gi'^'°'’ G Gi. 

• BSign(M,gsk;„gpk): 

For group member b to sign the message M using gpk = (gi, g 2 , u, v, h, w) 
and gsk^ = {Ab,Xb), let Zp, and compute Ti = u°‘, T 2 = v^, 

n = Abh^+^. 

Now let Tq, Tjs, Vxi rs^i Zp, and compute Ri = R 2 = 

S 4 = i ?5 = and 

S 3 = i{Ts,g2yH{Kw)-^--^H{h,g2r^^-^^^. 
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Compute c = H{M,Ti,T 2 ,T 3 , Ri, R 2 , R 3 , R 4 , R 5 ), and let (5i = x^a, 
62 = Xbl3. Compute Sa = + ca, <S /3 = + cjS, + cxb, 

ssi = rs^ + c 6 i and ss 2 = rs^ + 062 - 

The signature on M is a = (Ti, T 2 , T 3 , c, Sa, S 13 , s^, 

• BVerify(M, a, gpk); 

To verify a signature a = (Ti, T 2 , T 3 , c, s^, sp, s^, on the message 

M using the group public key gpk = {gi, g 2 ,u,v, h,w), compute Ri = 
i ?2 = v^^T 2 ^, R 4 = R 5 = and 




=i{T3,g2rR{Kw)-^’^-^^ 


i{h,g2) "'1 *"2 


f i{T 3 ,w) 

\i{9i,92) 


C 


The signature a is valid if c = iJ(M, Ti, T 2 , T 3 , Ri, R 2 , R 3 , Ra, Rb)- 
Otherwise it is invalid. 


• BOpen(M, a, gmsk, gpk); 

To open the signature, run BVerify(M, a, gpk). If a is a valid signature 
on M, then the hrst part of the signer’s secret key can be retrieved: 

A - Ts 

^ - rr^lrpr]2 • 

-^1 -^2 


4.2 An extension of the BBS Scheme 

Suppose that every group member b has some value in Zp assigned to it by 
the group manager. This value changes with time, so that at some time 
interval Tj, this value is r^j. We want to modify the BBS scheme in such 
a way that this value is bound to the group member’s signature and 
is visible from it. When Vbi changes, the group member is able to obtain 
an update without a secure channel. The group public key gpk will also 
have to be modihed accordingly using some public information. We will call 
this modihed scheme the BBS* scheme, and it consists of the algorithms 
(BKeyGen*, BJoin*, BUpdate*, BSign*, BVerify*, BOpen*). 
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• BKeyGen*; 


In addition to the parameters generated in BKeyGen, we have the fol¬ 
lowing public parameters: 

— Time intervals Tq, Ti, T 2 , .... 

— For each time internal Tj, we have a random base value ki G 
Gi \ { 1 gi}- a possible way to compute ki from Tj is using a 
public hash function, say H\ so that ki = H'{Ti) G Gi \ {1gi}- 

— A set of values IZ = {0,1, 2, m} C Zp, where m < p. In each 
time interval T* a group member b has a specihc value, denoted 
by Tbi G IZ assigned to it. 

For each value of r G 7^, and each time interval Tj we have a group 
public key denoted by gpk^^, 

gpki^ = {hir = 9i ■ K, g 2 , u, V, h, w). 

Hence we have m-|-1 group public keys gpk^^ in each time interval. The 
secret key of the group manager is as before, gmsk = ( 7 , 771 , 772 ). 

• BJoin*(6, gmsk); 

This is the same as BJoin(6,gmsk). Each group member b is given a 

1 

secret key gskf, = {Ab,Xb), where Xb<—Z*, and Ab = G Gi. 

• BUpdate*(6,f,rbi,gskj„gmsk); 

At time interval Tj, the group member b which has value ru may obtain 
an update of its secret signing key gsk^, = (Af,, Xb) as follows. 

1 

The group manager computes ki = H'{Ti), Ri = rcert* = 
and updates Ab to Au where Abi = Ab ■ rcertj. 

The group member b is given rcertj publicly. When b receives rcertj it 
Erst checks whether {(rcertj, = i{Ri,g 2 )- If so, it then updates 
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its secret signing key gsk^ = to gsk^j = {Ai,i,Xb)] otherwise the 

received rcerti is discarded (as it is corrupted or tampered with during 
the transmission). 

• BS\gn*{M,i,rbi,gskbi,gpki^J: 

To sign the message M at time interval Tj, a group member b with 
assigned value Vbi performs BSign(M, gsk^j,gpkj^^J. The signature on 

Ad is CT (^1 7 ^ 2 : ^ 3 : ^5 '^0:5 5 7 ^82 7 ^7 • 

• BVerify*(M, (T*,gpk); 

To verify the signature a* on M, signed by a group member with as¬ 
signed value r in the time interval Tj, i.e. a* = (Ti, T 2 , T 3 , c, Sa, Sjs, s^, ss^, Ss2,i, r), 
the veriher updates gpk to gpk^^ = {gur, g2,u,v, h,w) by computing 
giir = gi ■ kl- It then uses BVerify(M, cr, gpkj^) to verify if a is valid, 
where a = (Ti, T 2 , T 3 , c, s„, S/ 3 , 

• BOpen*(M, a*, gmsk, gpk); 

To open the signature a on M, signed by a group member with assigned 
value r in the time interval Tj, run BVerify*(M, a*, gpk) hrst. If the 
signature is valid then the hrst part of the signer’s secret key in time 
interval Tj can be retrieved: Abi = j,vT^v 2 ■ 

4.3 Security of the BBS* scheme 

We argue that the BBS* scheme is both correct and secure. 

It is straightforward to verify that the BBS* scheme is correct. In fact, 
each instance of the BBS* scheme is indeed a BBS scheme. 

The modihcation of BBS to BBS* consists of multiplying gi in the public 
key gpk with a public value /c[, sending rcertj publicly and using it to modify 
part of the user 6 ’s secret key Ab- We argue that neither of these changes 
affect the security of BBS; 
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• Multiplying gi with a public value: This does not affect the group 
manager’s secret key and does not allow forgery of group members’ 
secret keys. 

• Sending rcertj publicly: This does not reveal the secret values of 7 , 
Ah or Xb if BBS is secure. If an adversary could obtain 7 or Xb from 
rcertj then setting Ri = gi, the adversary could also obtain 7 or Xb from 
Ab, thus allowing it to forge further group members’ secret keys. 


5 Using BBS* to enable a privacy-aware scheme 

We now show how to deploy BBS* to enable a privacy-aware announcement 
scheme. This scheme has a centralised architecture with two off-line central 
authorities AS, RS, and vehicles (Vs) as end users. The roles of these entities 
are as described in Section |3.1[ The management of the reputation system 
is the same as the scheme of [S]. 

Let 7?. = {0,1,..., m}, m < p, represent the m -|- 1 reputation levels. At 
time interval Tj, a vehicle I 4 has a specihc reputation level, denoted by ru. 
The method on how to establish such a level for a vehicle is the same as the 
method used in the scheme of [S]. The group signature scheme BBS* allows 
the binding of the reputation level visibly to a group signature. 

Now we describe this new scheme in detail. We will follow the same 
presentation structure as used in Section 

5.1 Scheme Initialisation 

This is executed once only, when the announcement scheme is set up. 

1. The AS regulates its clock, and deploys its remote wireless communi¬ 
cation interfaces. 

2 . The RS creates a database, and installs Aggr and Detect. 
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3. The AS installs BBS*, TimeDiscount, and T and divides the time into 
time intervals (Tq, Ti, T 2 , ■ ■ ■ )■ 

4. The AS executes BKeyGen* to obtain {Gi,G 2 ,G 3 , gi, g2,'4’A^ H) and 
ASA public key is gpk and secret key is gmsk. 

5.2 Vehicle Registration 

This is executed when a new vehicle Vb requests to join the announcement 
scheme. It takes place in a secure environment: all communication is confi¬ 
dential and authenticated. 

1. The AS provides V with BUpdate*, BSign*, BVerify*, and gpk. 

2 . The AS and Vj, executes BJoin*(6,gmsk), and Vj, recieves its group 
member secret key gskf, = {Ab,Xb). 

3. The AS requests the RS to create a record in its database for vehicle 
Vb, indexed by Ab. 

5.3 Reputation Retrieval 

When a vehicle Vb drives into the proximity of a wireless communication 
interface at time Tj, it retrieves its reputation information as follows: 

1. Vb signs a reputation score request using gsk^j. This authenticates Vb 
to AS. This signature is then opened using BOpen* and AS is thus 
able to request the correct reputation score from RS. 

2. Upon retrieving {rbi,Vb,ti), the reputation score of Vb at the current 
time ti, from the RS, the AS computes H’s time discounted reputation 
scores (r', r'^^, • ■ ■ , r'+^) until 

r' -ix- 

3. The AS then calculates Rj = for public kj and rcert^ = RJ for 

j = i,... i + d. 


20 



4. The AS sends rcert*, rcertj+i, ..., rcertj+rf to Vf, publicly and keeps a 
record of them. 

5. Vb checks whether t(rcertj, = t{Rj,g 2 ) for j = + d. If 

so then it updates its signing key gsk = {Ab,Xb) to gskbj = {Abj,Xb) 
where Abj = Ab ■ rcertj, j = i,.. .i + d. In essence 14 and AS run 
BUpdate*(6, j,rfej,gskj,^.,gmsk) ior j = i,.. .i + d. 

5.4 Message Broadcast 

A message M is broadcast by 14 at time interval T* as follows: 

1 . 14 retrieves the current time from its clock and identihes its correspond¬ 
ing time interval, say Tj. 

2 . 14 uses BSign*(M, 4 Tbi, gsk^j, gpkj^^J to generate a signature a* on M, 
and forms a message tuple msg = {M,a*). 14 then broadcasts msg to 
its neighbouring vehicles. 

3. Upon receiving msg = (M, a*), a receiving vehicle 14 immediately iden¬ 
tihes the current time interval from its clock. 14 checks if j = i. If 
so then 14 uses BVerify*(M, a*, gpk) to verify a*. Upon successful ver- 
ihcation, 14 can now decide whether to trust the announcement based 
on its own policy. The message tuple msg is stored for future possible 
feedback reporting, li j ^ i or the verihcation fails then 14 does not 
consider 14 to be reputable, and thus discards M. 

5.5 Feedback reporting 

When 14 has experience of the event described by message M, it is able to 

judge the reliability of M. Then 14 can voluntarily report feedback. 

1 . 14 assigns a feedback / based on its experience about the reliability of 
M and forms a feedback report fr = (/, msg). 
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2. When W drives into the proximity of a wireless communication interface 
during time interval Tj, W sends fr and BSign*(fr, j, rrj, gskr-j, gpkjv^.) 
to 

3. The AS verihes K’s signature. If it is valid it runs BOpen*(msg, gmsk, gpk) 
to obtain Abi. It then sends the corresponding feedback / to RS. 

5.6 Vehicle Revocation 

The AS revokes the identihed malicious vehicle by no longer providing them 
with new rcertj in the future. The revoked vehicle will not be able to construct 
valid signatures without rcertj. 

5.7 Privacy and Robustness 

The privacy of this scheme, as in the scheme of [9], depends on the security of 
MEA+andTOA+. If BBS* is secure then all data sent by a vehicle is protected 
with respect to anonymity and unlinkability against all entites except for the 

kl5. 

Observe that our privacy-aware scheme still features the same robustness 
as the schemes of [U |20] against adversaries. An adversary is not able to im¬ 
personate an existing vehicle or forge a legitimate broadcast message. This 
is because group member signing keys are updated securely in BBS* by legit¬ 
imate vehicles, and external adversaries are unable to obtain a valid group 
member secret key. In addition, all approaches that can be used in |9l [20] to 
prevent internal adversaries conducting reputation manipulation can also be 
used in this new scheme. 

5.8 A note on Computational and Communication Over¬ 
heads 

Group signatures are generally regarded as resource intensive and time- 
consuming. We briefly comment on the additional computational and com- 
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munication burden in using BBS* for VANET announcements compared to 

0 . 

Firstly, there are VANET announcement schemes using the group sig¬ 
nature scheme BBS and they are shown to be feasible theoretically and by 
simulation, for example, in pTl [H]. The new BBS* scheme is based on BBS, 
with a few more operations: 

• BUpdate* performs one check and one calculation. The check involves 2 
pairings, 1 point multiplication and 1 exponentiation. The calculation 
requires 1 point multiplication. 

• BVerify* requires 1 additional point multiplication and 1 exponentia¬ 
tion. 

Altogether the BBS* scheme requires 2 extra pairings, 3 extra point mul¬ 
tiplications and 2 extra exponentiation compared to [^. However, this is 
instead of having to establish a secure and private channel for reputation 
retrieval, which requires encryption as well as a digital signature. For a ve¬ 
hicle to sign a request and to verify a signature from the server will take 1 
pairing, 2 point multiplications and 3 exponentiations (1 exponentiation for 
signing, 2 exponentiation, 2 multiplication, 1 pairing for verihcation) for the 
Boneh-Boyen scheme |1]. Hence the computational overhead to being able to 
retrieve private values in public is about 1 pairing and 1 point multiplication. 

To be conservative, even for 128-bit security (most proposals are using 
80-bit security which is sufficient since most VANET announcements are 
ephemeral) and using only 400 MHz processor [29], 1 pairing will take 5 ms 
[T] and 1 multiplication will take 0.5 ms (using 200 000 cycle per second for 
multiplication, which is also conservative according to [E].) Hence we add 
at most 5.5 ms. 

As for signature length, we have two more elements, i and r;,*. We take 
4 bytes for i (a time-related parameter, 4 bytes are sufficient for timestamps 
|2lj ) and 170 bits for (which is an element of Zp, and p is 170 bits for 
80-bit security). This adds to the original BBS signature of length 1533 
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bits [5], so we have a signature for BBS* with length 1735 bits (about 217 
bytes), and this is under 250 bytes which is the requirement for vehicular 
communications [T8] . 

The additional download for BUpdate* is public and rcertj is also 170 bits 
only, so this does not present a barrier. 

6 Conclusion 

We have shown a reputation-based announcement scheme in VANETs which 
supports flexible decision-making using explicit multiple reputation levels 
- a vehicle may decide on its own policy whether to trust announcements 
of different types depending on the announcing vehicle’s reputation score. 
It also allows private reputation score retrieval via a public channel, thus 
preserving user privacy across the wireless interface. This is enabled by our 
construction of a new primitive based on a group signature scheme. Two 
questions are of interest: 

1. Can this privacy-aware reputation scheme be used for other types of 
network? The robustness of this scheme against reputation manipu¬ 
lation depends on the relatively slow propagation of data. VANETs 
meet this requirement since data transmissions is largely achieved by 
short-range wireless medium. How robustness can be acheived while 
guaranteeing privacy in a network with fast propagation, such as the 
internet, seems to be a hard problem. 

2 . Are there other applications for the primitive BBS*? This offers a 
feature that allows a user to demonstrate some property within a group 
signature. In this particular application, the property is presented by 
two values, a time and a reputation score. In general, the property 
could be anything, such as a degree, a location or a position, and 
multiple properties can be bound together in one signature. Similar 
ideas have been considered in other areas, such as anonymous credential 
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and attribute-based signatures, and we believe BBS* may turn out to 
be of independent interest. 
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